
Issue #2692

Basic configuration help using PSK

Added by Yasha Renner 12 months ago. Updated 6 months ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
configuration
Affected version:
5.6.3
Resolution:
No feedback

Description

I'm trying to establish a very basic tunnel using just a PSK between my Android client (via mobile network) and my Ubuntu server at home. Both hosts are behind NAT. I've tried using the configuration examples supplied on the wiki without success. In my DSL modem/router, I have ports 500 and 4500 (UDP) forwarded to the local IP of my VPN server (192.168.0.10). Also, I'm using the built-in VPN client on Android, which provides no log file. I was hoping for some help troubleshooting.

My configuration is as follows:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        authby=secret
        leftfirewall=yes
        fragmentation=yes

conn droid
        left=192.168.0.10
        right=%any
        rightsourceip=10.3.0.1
        auto=add

# /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
10.3.0.1 : PSK test

● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2018-06-25 22:26:53 PDT; 13h ago
 Main PID: 8144 (starter)
    Tasks: 18 (limit: 4286)
   CGroup: /system.slice/strongswan.service
           ├─8144 /usr/lib/ipsec/starter --daemon charon --nofork
           └─8159 /usr/lib/ipsec/charon

Jun 26 11:41:23 safenet charon[8159]: 16[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jun 26 11:41:23 safenet charon[8159]: 16[NET] sending packet: from 192.168.0.10[500] to 66.87.113.51[4800]
Jun 26 11:41:24 safenet charon[8159]: 05[NET] received packet: from 66.87.113.51[4800] to 192.168.0.10[500]
Jun 26 11:41:24 safenet charon[8159]: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D
Jun 26 11:41:24 safenet charon[8159]: 05[IKE] 66.87.113.51 is initiating an IKE_SA
Jun 26 11:41:24 safenet charon[8159]: 05[IKE] 66.87.113.51 is initiating an IKE_SA
Jun 26 11:41:24 safenet charon[8159]: 05[IKE] local host is behind NAT, sending keep alives
Jun 26 11:41:24 safenet charon[8159]: 05[IKE] remote host is behind NAT
Jun 26 11:41:24 safenet charon[8159]: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(N
Jun 26 11:41:24 safenet charon[8159]: 05[NET] sending packet: from 192.168.0.10[500] to 66.87.113.51[4800]

History

#1 Updated by Yasha Renner 12 months ago

Thank you in advance!

#2 Updated by Yasha Renner 12 months ago

Here's more:

Jun 26 11:41:44 safenet charon[8159]: 08[IKE] sending keep alive to 66.87.113.51[4800]
Jun 26 11:41:54 safenet charon[8159]: 09[JOB] deleting half open IKE_SA with 66.87.113.51 after timeout

#3 Updated by Tobias Brunner 12 months ago

  • Description updated (diff)
  • Category set to configuration
  • Status changed from New to Feedback

What IKEv2 client are you using on Android that supports PSK authentication?

Anyway, it looks like the IKE_AUTH message does not arrive at the server. Maybe port forwarding for UDP port 4500 isn't set up properly, or a firewall blocks traffic to that port, or maybe the client has an issue when handling IKE_SA_INIT or producing IKE_AUTH, so check the log there.
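
The reading of the log given in this comment can be turned into a check. What follows is an added example, not code from the issue or from strongSwan: a Python script that scans charon log lines per peer and reports whether IKE_AUTH ever arrived after IKE_SA_INIT, pointing at UDP/4500 when the peer was detected behind NAT. The sample log is constructed from the lines quoted in this issue.

```python
import re
from collections import defaultdict
# Constructed sample modelled on the charon lines quoted in this issue (not the
# reporter's full log): the peer finishes IKE_SA_INIT, then never sends IKE_AUTH.
SAMPLE_LOG = """\
Jun 26 11:41:23 safenet charon[8159]: 16[NET] received packet: from 66.87.113.51[4800] to 192.168.0.10[500]
Jun 26 11:41:23 safenet charon[8159]: 16[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Jun 26 11:41:24 safenet charon[8159]: 05[NET] received packet: from 66.87.113.51[4800] to 192.168.0.10[500]
Jun 26 11:41:24 safenet charon[8159]: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun 26 11:41:24 safenet charon[8159]: 05[IKE] 66.87.113.51 is initiating an IKE_SA
Jun 26 11:41:24 safenet charon[8159]: 05[IKE] remote host is behind NAT
Jun 26 11:41:54 safenet charon[8159]: 09[JOB] deleting half open IKE_SA with 66.87.113.51 after timeout
"""
LINE_RE = re.compile(r"charon\[\d+\]: (?P<tid>\d+)\[[A-Z]+\] (?P<msg>.*)")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def findings(s):
    # Turn one peer's flags into the conclusions a troubleshooter would draw.
    notes = []
    if s["inval_ke"]:
        notes.append("INVAL_KE reply is routine DH-group renegotiation, not the fault")
    if s["auth"]:
        notes.append("IKE_AUTH reached the server; the problem lies past IKE_SA_INIT")
    elif s["timeout"]:
        notes.append("IKE_AUTH never arrived; half-open IKE_SA timed out")
        if s["nat"]:
            notes.append("peer is NATed, so IKE_AUTH uses UDP/4500: check forwarding and firewall for 4500")
    return notes

def analyze(log_text):  # -> {peer_ip: [findings]} for every peer that began an IKE_SA
    state = defaultdict(lambda: dict.fromkeys(("init", "auth", "nat", "inval_ke", "timeout"), False))
    thread_peer = {}  # charon worker thread -> peer whose packet it is handling
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["msg"].startswith("sending packet"):
            continue  # skip non-charon lines and our own sends (local IP comes first)
        tid, msg = m["tid"], m["msg"]
        ip = IP_RE.search(msg)
        peer = ip.group() if ip else thread_peer.get(tid)  # ENC/IKE lines often omit the IP
        if not peer:
            continue
        thread_peer[tid] = peer  # any line naming the peer binds this worker thread to it
        s = state[peer]
        s["init"] |= "IKE_SA_INIT request" in msg or "initiating an IKE_SA" in msg
        s["auth"] |= "parsed IKE_AUTH request" in msg
        s["nat"] |= "remote host is behind NAT" in msg
        s["inval_ke"] |= "N(INVAL_KE)" in msg
        s["timeout"] |= "deleting half open IKE_SA" in msg and "timeout" in msg
    return {peer: findings(s) for peer, s in state.items() if s["init"]}
```

Running `analyze(SAMPLE_LOG)` on a real `journalctl -u strongswan` dump works the same way; peers whose IKE_SA_INIT never shows up are not reported at all.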

#4 Updated by Noel Kuntze 6 months ago

  • Status changed from Feedback to Closed
  • Resolution set to No feedback
